Just wanted to say that Cloudflare API is extremely dangerous to use if one of the server is hacked. Any one with a compromised server can change all the DNS records, issue a new Lets Encrypt SSL certificate and redirect all the web traffic to their own servers without the owner of domain knowing anything. They can get all the credentials and credit card numbers for a site visitor. I just transferred my domain from Google domains since it is shutting down. There are many posts about this problem in Cloudflare community but the admins are refusing to do anything about it and think they have to give full access to complete zones. Cloudflare needs to add a new api restricted to a specific record and can easily be added in the backend API servers.
(if API == subdomain) : true : false
Hopefully someone from Cloudflare understands that is a bad idea to have full unrestricted API with no control.
Yes, if your control over a domain is compromised, bad actors can do malicious things to your domain. The rest of your argument is a non-sequitur.
3 Likes
You can create API tokens scoped to specific resources and permissions. You can also lock them down to only be accessible via certain IP ranges. Do not use the global API Key if you need these features.
2 Likes